Upload
others
View
39
Download
1
Embed Size (px)
Citation preview
WHAT IS AN IDS?
• An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
• An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.encrypted traffic.encrypted traffic.
WHAT IS AN IPS?
• An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks . When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention
• An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks . When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion preventionwhile still allowing all other traffic to pass. Intrusion preventiontechnology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato who was a technical writer and consultant for *NetworkICE.
while still allowing all other traffic to pass. Intrusion preventiontechnology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato who was a technical writer and consultant for *NetworkICE.
• IPS systems have some advantages over intrusion detection systems (IDS). One advantage is they are designed to sit inline with traffic flows and prevent attacks in real-time. In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP which provides greater awareness. However, when deploying network-based IPS(NIPS), consideration should be given to whether the network segment is encrypted since not as many products are able to support inspection of such traffic.
• IPS can do more than just drop packets. Because an IPS is inline, it does not have to interpret the network stack. An IPS can correct CRC, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options. Intrusion detection system unwanted transport and network layer options. Intrusion detection system evasion techniques were made famous by Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection and can be addressed with IPS. IPS that have evolved from IDS tend to still have these issues for the software was designed with detection and not the concept of correction in mind.
Why consider SNORT for your network security
• Open Source Application.
• Can be implemented transparently.
• Can be used to protect the “Microsoft” environment (please don’t throw stuff at me)
• Filtering of specific data and hard to detect traffic such as P2P (torrents/ares/kazaa anyone?).
• Detecting and stopping exploits as it crosses your network. • Detecting and stopping exploits as it crosses your network.
• World’s most widely used IDS/IPS.
SCOPE
• This presentation covers “SNORT” and not the linux system, web or database administration.
• All software used is all open source and free (welllllll… excepting for the windows XP the VMs are running on)
TESTING ENVIRONMENT
Hardware:
Vmware Server : 512 MB RAMAMD Turion 64x2 2.0GHZ
Software:1. Centos 5.2 (fully patched)2. SNORT (IDS/IPS)3. SNORT RULES3. SNORT RULES4. APACHE5. ADODB6. B.A.S.E (Basic Analysis and Security Engine)7. Libpcap (packet capture)8. PCRE (Perl Compatible Regular Expressions)9. LIBNET (generic networking API that provides access to several protocol.)
Setup Type:SNORT INLINE (TRANSPARENT)
TEST ENVIRONMENT
REQUIREMENTS
Packages :
yum update –y
restart
yum install bridge-utils mysql pear httpd mysql-devel mysql-server php php-gd php-mysql php-devel php-pear libnet iptables-devel mysql-bench pcre-devel gd mod_ssl glib2-devel gcc-c++ libpcap-devel php-pear yum-utils
pear channel-update pear.php.net
pear install –a Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
cd /root
mkdir snort-downloads
cd snort-downloads
wget http://dl.snort.org/reg-rules/snortrules-snapshot-CURRENT.tar.gz
wget http://www.hacktoolrepository.com/files/Libraries/libnet%20version%201.0.2a/Libnet-1.0.2a.tar.gz
wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
wget http://ufpr.dl.sourceforge.net/sourceforge/libnet/libnet-0.10.11.tar.gz
wget http://hivelocity.dl.sourceforge.net/sourceforge/secureideas/base-1.4.3.1.tar.gz
wget http://hivelocity.dl.sourceforge.net/sourceforge/adodb/adodb4991.tgz
wget http://dl.snort.org/snort-beta/snort-2.8.5.beta.tar.gz
wget http://ufpr.dl.sourceforge.net/sourceforge/libnet/libnet-0.10.11.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
Setting up the interface bridge
1. ifconfig eth0 0.0.0.0
2. ifconfig eth1 0.0.0.0
3. ifconfig eth0 up
4. ifconfig eth1 up4. ifconfig eth1 up
5. brctl addbr bridge
6. brctl addif bridge eth0
7. brctl addif bridge eth1
8. ifconfig bridge 172.17.17.253 netmask 255.255.255.0
9. ifconfig bridge up
10. route add default gw 172.17.17.2
Compiling libnet-1.0.2a
[root@snort snort-downloads]# pwd
/root/snort-downloads
[root@snort snort-downloads]# tar -zxvf Libnet-1.0.2a.tar.gz
[root@snort snort-downloads]# cd Libnet-1.0.2a
[root@snort Libnet-1.0.2a]# ./configure && make && make install
Compiling libpcap
[root@snort snort-downloads]# pwd
/root/snort-downloads
[root@snort snort-downloads]# tar –zxvf libpcap-1.0.0.tar.gz
[root@snort libpcap-1.0.0]# cd libpcap-1.0.0
[root@snort libpcap-1.0.0]# ./configure && make && make install
Compiling pcre
[root@snort snort-downloads]# pwd
/root/snort-downloads
[root@snort snort-downloads]# tar -zxvf pcre-7.9.tar.gz
[root@snort snort-downloads]# cd pcre-7.9
[root@snort pcre-7.9]# ./configure && make && make install
Compiling Snort for Inline
[root@snort snort-downloads]# pwd
/root/snort-downloads
[root@snort snort-downloads]# tar -zxvf snort-2.8.4.tar.gz
[root@snort snort-downloads]# cd snort-2.8.4
[root@snort snort-2.8.4]# ./configure --enable-sourcefire --enable-targetbased --enable-inline --with-mysql
[root@snort snort-2.8.4]# make && make install
CONFIGURING SNORT
[root@snort /]# groupadd snort [root@snort /]# useradd -g snort snort -s /sbin/nologin
[root@snort /]# mkdir /etc/snort[root@snort /]# mkdir /etc/snort/rules[root@snort /]# mkdir /var/log/snort
[root@snort snort-2.8.4]# cd etc[root@snort etc]# cp * /etc/snort[root@snort etc]# cd /root/snort-downloads
[root@snort snort-downloads]# tar -zxvf snortrules-snapshot-CURRENT.tar.gz[root@snort snort-downloads]# cd snortrules-snapshot-CURRENT.tar.gz_FILES[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# mv so_rules /etc/snort[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# mv so_rules /etc/snort[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# mv doc /etc/snort[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# mv rules /etc/snort[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# mv etc /etc/snort[root@snort snortrules-snapshot-CURRENT.tar.gz_FILES]# cd /etc/snort[root@snort etc]# cp * /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.4 /usr/local/lib/snort_dynamicrules
touch /var/log/snort/alertchown snort:snort /var/log/alertchmod 600 /var/log/alert
[root@snort etc]#vi snort.conf
Change the following:
var RULE_PATH /etc/snort/rules
Uncomment : output database: log, mysql, user=snort password=snort dbname=snort host=localhost
CONFIGURING mySQL
[root@snort /]# chkconfig mysqld on
[root@snort /]# service mysqld start
Starting MySQL: [ OK ]
[root@snort /]#mysql
SET PASSWORD FOR root@localhost=PASSWORD('root');
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('snort');
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost; grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
exit
[root@snort bin]# mysql -p < /root/snort-downloads/snort-2.8.4.1/schemas/create_mysql snort
Enter password:
[root@snort bin]#
CONFIGURING APACHE,A.D.O.D.B, and B.A.S.E
[root@snort snort-downloads]# tar -zxvf adodb4991.tgz
[root@snort snort-downloads]# mv adodb /var/www/html
[root@snort snort-downloads]# tar -zxvf base-1.4.3.1.tar.gz
[root@snort snort-downloads]# mv base-1.4.3.1 /var/www/html/
[root@snort snort-downloads]# cd /var/www/html/
[root@snort html]# mv base-1.4.3.1 base
[root@snort html]# chown apache base
[root@snort html]# chgrp apache base
[root@snort html]# mkdir /var/www/html/base/signatures
[root@snort html]# cp /etc/docs/signatures/* /var/www/html/base/signatures/
Go to : http://127.0.0.1/base
Follow the Wizard to Setup the Database.
Step 1
Path to ADODB: /var/www/adodb
Step 2
Database name: snort
host: localhost
username: snort
password: snort
Step 3
User Account setup
Step 4
Create base AG
Step 5
Login B.A.S.E
CONFIGURING IPTABLES & SNORT
[root@snort bin]# modprobe ip_queue
[root@snort bin]# iptables -A FORWARD -i bridge -j QUEUE
[root@snort bin]# iptables-save
BRIDGE FILE (NOT REQUIRED)
I use the following in a script to start and setup the system to run sort.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig eth0 up
ifconfig eth1 up
brctl addbr bridge
brctl addif bridge eth0
brctl addif bridge eth1
ifconfig bridge 172.17.17.253 netmask 255.255.255.0ifconfig bridge 172.17.17.253 netmask 255.255.255.0
ifconfig bridge up
route add default gw 172.17.17.2
modprobe ip_queue
iptables -A FORWARD -i bridge -j QUEUE
Starting up SNORT for business
[root@snort /]# cd /usr/local/bin
[root@snort bin]# ./snort -Q -v -c /etc/snort/snort.conf -i bridge
To start SNORT in DAEMON MODE:
./snort -Q -c /etc/snort/snort.conf -i bridge -D
DEMONSTRATION
1. Identifying threats and other traffic
2. Stopping threats and other traffic
OTHER 3rd Party Plugins
1. Oinkmasteroinkmaster.sourceforge.net/
2. Barnyardwww.securixlive.com/barnyard2/index.php
Q & A
QUESTIONS ?QUESTIONS ?
REFERENCES
www.snort.org
www.wikipedia.com
www.centos.org
base.secureideas.net/